similar to: [PATCH] hivex: Add byte runs for nodes and values

This patch adds value_byte_runs and node_byte_runs. Each byte run represents the offset and length of a data structure within the hive, one per node, and one or two per value depending on the length of the value data. These byte run functions also add additional data sanity checks as a hive is being parsed, mainly checking that a node address actually points to a node, and similarly for values.

This patch adds value_byte_runs and node_byte_runs. Each byte run represents the offset and length of a data structure within the hive, one per node, and one or two per value depending on the length of the value data. These byte run functions also add additional data sanity checks as a hive is being parsed, mainly checking that a node address actually points to a node, and similarly for values.

RLenValue is similar to RLenType, though with one less argument. This required adding additional conversion functions for several languages' bindings. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 78 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 78 insertions(+), 0 deletions(-) diff --git a/generator/generator.ml

RLenValue is similar to RLenType, though with one less argument. This required adding additional conversion functions for several languages' bindings. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 78 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 78 insertions(+), 0 deletions(-) diff --git a/generator/generator.ml

Reporting value data in attributes has two advantages: * The output of hivexml breaks Python expat processing if binary data makes it out. This was observed in Software hives. * Not having child text makes room for child elements. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- xml/hivexml.c | 25 ++++++++++++++++++++----- 1 files changed, 20 insertions(+), 5 deletions(-) diff

Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- xml/hivexml.c | 42 ++++++++++++++++++++++++++++++++++-------- 1 files changed, 34 insertions(+), 8 deletions(-) diff --git a/xml/hivexml.c b/xml/hivexml.c index d38e9d4..1a75593 100644 --- a/xml/hivexml.c +++ b/xml/hivexml.c @@ -247,6 +247,32 @@ node_end (hive_h *h, void *writer_v, hive_node_h node, const char *name) return 0;

Some of the data in names and string values were being unsafely printed, causing some types of XML processors to fail (e.g. Python's Expat). This patch checks for printability of each character and outputs base64 with an encoding attribute for unsafe data. --- xml/hivexml.c | 75 ++++++++++++++++++++++++++++++++++++++++++++++++-------- 1 files changed, 64 insertions(+), 11 deletions(-)

On Tue, Jan 31, 2012 at 12:21:44PM -0500, Todd Mummert wrote: > I've made some changes to hivexml.c, that I think addresses the > invalid XML that is being generated (as of version 1.3.3). I'm only > addressing invalid XML characters in string values and string-lists. > As I saw mentioned in earlier forum messages >

The infrastructure for modified-time reporting has been essentially unused. These changes report the registry time by treating the time fields as Windows filetime fields stored in little-Endian (which means they can be treated as a single 64-bit little-Endian integer). This patch adds the node_mtime function to the visitor API. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> ---

Hi, When an integer argument is passed as value, node_set_value segfaults. Reproducer is at the end of this message The backtrace points at hivex-py.c, function get_value. While obj is non-NULL, `bytes = PyUnicode_AsUTF8String (obj);` returns NULL. Kind regards, Peter https://lekensteyn.nl #!/usr/bin/env python3 import hivex, sys h = hivex.Hivex(sys.argv[1]) print(h) val = {

Hi, This patch series is based on a prior patch[1], splitting off changes as requested and incorporating feedback from Richard Jones. It introduces type validation to avoid segmentation faults (instead, it reports an exception) and fixes handling of the bytes type in Python 3. Major changes since that series: - Drop newly introduced support for integer types for DWORD/QWORDS - Reject Unicode

The infrastructure for modified-time reporting has been essentially unused. These changes report the registry time by treating the time fields as Windows filetime fields stored in little-Endian (which means they can be treated as a single 64-bit little-Endian integer). This patch adds to the hivex ABI: * int64_t hivex_last_modified (hive_h *) * int64_t hivex_node_timestamp (hive_h *,

When calling croak on failure in the Perl code for RLenValue, add the %s placeholder for the strerror result. This makes the croak call just like all the others. Fixes commit 87e1be8ff3431ac81d721d5f647fc85d02e045dc. --- generator/generator.ml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/generator/generator.ml b/generator/generator.ml index 0401217..f2cb627 100755 ---

This changeset adds byte run reporters for node and value metadata in the hivexml program. This location reporting required several new ABI functions, which required new ABI return types. One benefit to the byte run functions is additional sanity checks, which have revealed new data or parsing errors when run on M57 patents images. An example error: Image: Charlie, 2009-12-11, available at

The infrastructure for modified-time reporting has been essentially unused. These changes report the registry time by treating the time fields as Windows filetime fields stored in little-Endian (which means they can be treated as a single 64-bit little-Endian integer). Some of the code changes necessary include: * Exposing the hive_h structure in the hivex header file (via generator.ml) *

New feature: If the root node of the XML root is the hive root node, denote with attribute/value root="1". Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- xml/hivexml.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diff --git a/xml/hivexml.c b/xml/hivexml.c index 2967ac9..f29c80c 100644 --- a/xml/hivexml.c +++ b/xml/hivexml.c @@ -204,6 +204,10 @@

--- python/t/120-rlenvalue.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/python/t/120-rlenvalue.py b/python/t/120-rlenvalue.py index ebc48f5..a9b2129 100644 --- a/python/t/120-rlenvalue.py +++ b/python/t/120-rlenvalue.py @@ -38,5 +38,5 @@ moderate_value_node = h.node_get_child (root, "ModerateValueParent") moderate_value_value = h.node_get_value

This patch adds value_data_cell_offset to the hivex ABI, to report the hive space used for long (>4 bytes) value data. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 12 +++++++++ lib/hivex.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+), 0 deletions(-) diff --git a/generator/generator.ml

This patch adds value_data_cell_offset to the hivex ABI, to report the hive space used for long (>4 bytes) value data. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 12 +++++++++ lib/hivex.c | 60 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 72 insertions(+), 0 deletions(-) diff --git a/generator/generator.ml

This patch adds value_data_cell_offset to the hivex ABI, to report the hive space used for long value data. Signed-off-by: Alex Nelson <ajnelson at cs.ucsc.edu> --- generator/generator.ml | 11 +++++++++++ lib/hivex.c | 45 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+), 0 deletions(-) diff --git a/generator/generator.ml